Pwned Vulnhub Walkthrough

Pwned vulnhub challenge is an easy boot2root machine. One of the key take away from this machine is how you can escalate your privileges using Dockers. This blog post is about how I exploited this machine and what are the different tools I used to make that happen.

Below are the requirements:

  1. You can get the virtual machine from here : https://www.vulnhub.com/entry/pwned-1,507/
  2. I used Kali as a penetration testing machine here, you can use your own environment.

Let’s dive in:

  1. Finding out the target IP address:
    I used netdiscover tool to find out the IP of the target machine. In my case, the IP address is 192.168.40.40
  2. Gathering information and Scanning:
    Once you have the IP address, it is time to look around in the target and finding what can be the attack vectors here. I did a quick nmap scan with below command:

    #nmap -sV -O 192.168.40.40 -p-

    Ports 21,22 and 80 are open.
    Checking the website on the browser and viewing the source gave some hint but it wasn’t enough to decide on the next step of the attack.
    So, I did a directory fuzzing to see if there is something useful. I used gobuster command line tool to do it.

    There are 2 directories which came up on Fuzzing:
    nothing/
    hidden_text/

    I have checked nothing but it literally contains nothing so we removed that possibility right away.
    Under hidden_text directory, there is a dictionary file called secret.dic. I downloaded this and this is what the data looks like:

    From the looks of it, the above data looked more of directory listings not passwords or something.
    So, again a quick directory search have out that ,there is pwned.vuln which actually exist under the root.

    If you open http://192.168.40.40/pwned.vuln on your browser, you will find a form and if you look into the source code of the page, you will see login creds to FTP.

  3. Inside the machine:
    When you will login into FTP with these creds, you will find a /share folder which contains two files id_rsa (private ssh key) and note.txt.


    I downloaded both of those files in my local machine using ftp’s get command.Now, since we have the private keys we can SSH login through that into the machine.
    #ssh -i id_rsa 192.168.40.40

    We found the first Flag on Ariana’s machine.

  4. We still do not have root, so we are again back to finding our attack vectors.
    While I was looking for more clues, I found “messenger.sh” under the /home/
    If you look at it, it is a simple shell script which echo’s out the “given” value by the user. Now I have tried running and exploiting the file multiple times but I always ended up getting Ariana’s bash but not root or even selena’s.

    Here is what I was doing wrong, I went back to square one and did “sudo -l” command which will list the programs that have SUID bit set and “messenger.sh” showed up in the list as below:

    Now, If you read the above information correctly, you will know that the file can be Ran by user “Selena” without no password and we have to figure out a way to run it as that user, so after googling I found a sudo command with the flag “-u”, the flag cause you to run the specified command as a user other than root.

    So below command will run the messenger.sh as selena:
    #sudo -u selena messenger.sh
    and then in enter the messenger you put /bin/bash, you will get shell for selena!

  5. Now, the next step was to get the root access, it took me a while to come to docker process, It was right there in the id command output but I was thinking that there will be another shell script that can get me root. Anyways, now that I’ve got to know about the docker process which is running for user selena, I googled on how to escalate privileges with docker : https://gtfobins.github.io/gtfobins/docker/

    so running this got me the root access and the last flag:
    #docker run -v /:/mnt –rm -it alphine chroot /mnt sh

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Scroll Up
%d bloggers like this: